Optionsbleed Vulnerability

Submitted on 19. September 2017 - 10:18 by rischi. Last update on 19. September 2017 - 16:29.

IDs:

CVE-2017-9798

Keywords:

Apache, httpd, optionsbleed

Description:

Optionsbleed is a vulnerability in the Apache HTTP Server. An attacker may be able to read small memory chunks from the server using the HTTP OPTIONS method. Apache HTTP Server installations are vulnerable when the configuration directive Limit is used together with an invalid HTTP method in a .htaccess file. All versions including 2.4.27 are affected. For further details see [1].
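A configuration audit for the trigger condition described above, as an added example that is not part of the original advisory: it reports method names in Limit sections of .htaccess files that httpd would not recognise. The list of known methods, the default file name .htaccess, the inclusion of LimitExcept sections and the sample input are assumptions.

```python
import re
from pathlib import Path

# Assumed baseline: method names built into core httpd. Extend the set with
# methods that loaded modules register on your back-end servers.
KNOWN_METHODS = frozenset("""
    GET HEAD POST PUT DELETE CONNECT OPTIONS PATCH PROPFIND PROPPATCH MKCOL
    COPY MOVE LOCK UNLOCK VERSION-CONTROL CHECKOUT UNCHECKOUT CHECKIN UPDATE
    LABEL REPORT MKWORKSPACE MKACTIVITY BASELINE-CONTROL MERGE
""".split())

# Directive names are case-insensitive; closing tags such as </Limit> do not match.
LIMIT_OPEN = re.compile(r"^\s*<(Limit(?:Except)?)\s+([^>]*)>", re.IGNORECASE)

def audit_htaccess(text, known=KNOWN_METHODS):
    """Return (line_no, directive, method) for every method not in `known`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = LIMIT_OPEN.match(line)
        if not match:
            continue
        for method in match.group(2).split():
            # Method names are case-sensitive, so "get" is not "GET".
            if method not in known:
                findings.append((line_no, match.group(1), method))
    return findings

def audit_tree(root, filename=".htaccess"):
    """Audit every per-directory config file below root; {path: findings}."""
    report = {}
    for path in Path(root).rglob(filename):
        found = audit_htaccess(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report

# Constructed sample input, not taken from a real server.
SAMPLE = """\
# constructed sample .htaccess
<Limit GET POST>
    Require valid-user
</Limit>
<Limit get POTS>
    Require all denied
</Limit>
"""

if __name__ == "__main__":
    for line_no, directive, method in audit_htaccess(SAMPLE):
        print(f"line {line_no}: <{directive}> uses unknown method {method!r}")
```

Run `audit_tree()` against the document roots of the back-end servers; any finding marks a directory whose Limit section should be corrected.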

Airlock WAF is not affected, because .htaccess files are disabled. Airlock IAM is not affected since Apache HTTP Server is not used.

If you have to allow the OPTIONS HTTP method on Airlock WAF, for example because you want to allow Cross-Origin Resource Sharing (CORS), you can configure the following custom response action as a virtual patch on all mappings connected to a vulnerable back-end system to prevent exploitation of the vulnerability: